URL: <http://savannah.gnu.org/bugs/?45381>
Summary: sudo screen - bash logs root commands to user .bash_history
Project: GNU Screen
Submitted by: None
Submitted on: Tue 23 Jun 2015 12:54:57 PM UTC
Category: None
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Release: 4.2.1
Fixed Release: None
Planned Release: None
Work Required: None

_______________________________________________________

Details:

If screen is started via sudo, then the bash logs all commands typed by root to the .bash_history file of the user that issued the sudo command. They are then readable by that user. This is a security issue.

Observed both in the latest commit (d77e2be25149c8593c611bc785e16fc062cb26c4) as well as in Ubuntu 14.04 (Screen version 4.01.00devel (GNU) 2-May-06).

Example:

    user@host:/mnt/medium/user/git/screen$ sudo src/screen
    [screen is starting]
    root@host:/mnt/medium/user/git/screen# echo THIS_IS_SECRET__R_O_O_T__STUFF
    THIS_IS_SECRET__R_O_O_T__STUFF
    root@host:/mnt/medium/user/git/screen#
    [screen is terminating]
    user@host:/mnt/medium/user/git/screen$ tail -1 ~/.bash_history
    echo THIS_IS_SECRET__R_O_O_T__STUFF

_______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?45381>

_______________________________________________

Message sent via/by Savannah
http://savannah.gnu.org/
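
The condition shown in the report can be checked from inside a shell before anything sensitive is typed. The script below is an added example, not part of the original report or of GNU Screen or bash; it assumes the root shell still has the invoking user's HOME (so bash's default ~/.bash_history lands in that user's home), and the function names are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example (not GNU Screen or bash code): detect a shell whose history
# file belongs to a different account than the one running the shell.

# Numeric owner uid of a path; "ls -n" avoids GNU/BSD stat differences.
owner_uid() {
    ls -ldn -- "$1" 2>/dev/null | awk '{print $3}'
}

# history_target HOME [HISTFILE]: bash writes history to $HISTFILE when it
# is set, otherwise to ~/.bash_history, i.e. under $HOME.
history_target() {
    if [ -n "${2-}" ]; then
        printf '%s\n' "$2"
    else
        printf '%s\n' "$1/.bash_history"
    fi
}

# history_leak_check UID HOME [HISTFILE]
#   0 = leak: the file (or, if absent, its directory) has another owner
#   1 = owner matches UID
#   2 = ownership could not be determined
history_leak_check() {
    local uid="$1" target probe owner
    target=$(history_target "$2" "${3-}")
    probe="$target"
    [ -e "$probe" ] || probe=$(dirname "$target")
    owner=$(owner_uid "$probe")
    [ -n "$owner" ] || return 2
    [ "$owner" != "$uid" ]
}

# Check the environment this script was started from.
if history_leak_check "$(id -u)" "${HOME-}" "${HISTFILE-}"; then
    echo "WARNING: uid $(id -u) would write history to a file owned by" \
         "another account: $(history_target "${HOME-}" "${HISTFILE-}")"
else
    echo "OK: history file owner matches uid $(id -u), or could not be checked"
fi
```

Run from the root shell in the session above, the check would report a leak whenever HOME still points at the invoking user's home directory.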